Stultitia Delenda Est

MockSec Interview, Question 1

A dev team wants to develop an emergency response app. They want users to enter their personal details, including name, home address, and emergency contact details, as well as medical information (blood type, allergies, existing medical conditions, etc.) into a smartphone app. They plan to combine this data with GPS information from the user's phone and store it, via a service layer, in a centralized database. That way, when a natural disaster occurs, first responders can know who was in the affected area, as well as access up-to-date health information about them, in case they need medical attention.

The information will also be persisted locally on the device and, if the user is detected to have been in an area affected by a natural disaster, the back-end service will send a push notification so that the user's personal information is displayed on the lock screen. This is so that anyone who finds the phone can help that person appropriately.

They expect the app itself to be free, but service-enabled features will cost a modest monthly fee. Users provide their credit card details via the app when they sign up, but the payment functionality is handled by a third party.

There is no web interface of any kind.

The devs have come to you to help them develop their threat model. What are some threats that the system (as described) needs to account for? What controls would you tell the developers to put in place to help mitigate those threats?
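One of the threats in the scenario above is the lock-screen push: whoever can deliver a "disaster mode" notification to a phone can make it display the owner's name, address and medical details to anyone holding the device, and a push that carries the data itself exposes it in transit and at the push provider. The following is an added example, not code from the original post, of one control a reviewer might suggest: the push carries only an authenticated, replay-protected trigger, and the lock-screen card is built on the device from locally stored data, limited to the fields a bystander needs. The per-device key, the message layout, the freshness window and the helper names are all assumptions made for this illustration.

```python
"""
Added example (not part of the original post): an authenticated "disaster
mode" trigger for the lock-screen notification.

Assumptions (hypothetical, for illustration only):
  * backend and device share a per-device HMAC key provisioned at enrolment;
  * the push payload never carries PII or health data, only a trigger;
  * the device verifies the tag, the device binding, a freshness window and
    an event id before it unlocks the lock-screen card from local storage.
"""
import hashlib
import hmac
import json

FRESHNESS_WINDOW_S = 300  # assumed acceptable clock skew / delivery delay


def _canonical(body: dict) -> bytes:
    # Stable byte encoding so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_trigger(device_key: bytes, device_id: str, event_id: str, now: float) -> dict:
    """Backend side: produce a minimal, authenticated trigger message."""
    body = {"device_id": device_id, "event_id": event_id, "issued_at": int(now)}
    tag = hmac.new(device_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_trigger(device_key: bytes, expected_device_id: str, msg: dict,
                   now: float, seen_events: set) -> tuple:
    """Device side: accept the trigger only if it is authentic, bound to this
    device, fresh and not replayed. Returns (accepted, reason)."""
    body = msg.get("body")
    if not isinstance(body, dict):
        return False, "malformed"
    expected = hmac.new(device_key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return False, "bad signature"
    if body.get("device_id") != expected_device_id:
        return False, "wrong device"
    issued_at = body.get("issued_at")
    if not isinstance(issued_at, (int, float)) or abs(now - issued_at) > FRESHNESS_WINDOW_S:
        return False, "stale"
    event_id = body.get("event_id")
    if not isinstance(event_id, str) or event_id in seen_events:
        return False, "replay"
    seen_events.add(event_id)
    return True, "ok"


def lock_screen_card(local_record: dict, accepted: bool) -> dict:
    """Build the lock-screen card from the locally stored record. Only the
    fields a bystander or first responder needs are shown; home address,
    card details and the full medical history stay off the lock screen."""
    if not accepted:
        return {}
    return {
        "name": local_record.get("name", ""),
        "blood_type": local_record.get("blood_type", ""),
        "allergies": local_record.get("allergies", []),
        "emergency_contact": local_record.get("emergency_contact", ""),
    }


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    key = b"\x01" * 32
    record = {"name": "A. User", "blood_type": "O-", "allergies": ["penicillin"],
              "emergency_contact": "+1 555 0100", "home_address": "not shown"}
    seen = set()
    msg = build_trigger(key, "dev-1", "evt-1", 1_000.0)
    ok, why = verify_trigger(key, "dev-1", msg, 1_010.0, seen)
    print(why, lock_screen_card(record, ok))
    print(verify_trigger(key, "dev-1", msg, 1_020.0, seen))  # replayed trigger is rejected
```

The point of the design is that a compromised push channel, or a message forged with a guessed format, cannot by itself put anything on the lock screen: without the device key the tag fails, a captured message only works once and only within the freshness window, and even a genuine trigger reveals only the fields the device chooses to render.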
